Security & Privacy

HIPAA-compliant by physics, not promises.

Your session content is processed in memory and discarded after the note or worksheet is returned. No clinical content is stored on our servers. Nothing to breach, nothing to subpoena, nothing to leak.

How it works: Your input goes from your browser to Google Vertex AI under a signed BAA for a single generation request. The note or worksheet is returned to your browser. After that, your clinical text is not retained on Reframe servers. The finished output stays in your browser unless you choose to create an encrypted share link.

Reframe Practice is a tool for licensed therapists, not a therapy clinic or counseling service.

Data Flow

How your data moves (and doesn't stay)

[Data flow diagram] Therapist describes client → request is sent securely through Reframe to Google Vertex AI under BAA → worksheet returns to the browser; the clinical text is not retained in Reframe's main database afterward. Saved worksheets stay on the user's device unless the user creates an encrypted share link.
How It Works

Is Reframe HIPAA-compliant?

Yes. Zero-retention architecture means client data is processed in memory and discarded after each request. No client content is stored, logged, or used for model training.

Most AI tools store your data. They promise to protect it with encryption, access controls, and security policies. Those are good things, but they are still promises about data that exists on someone else's server.

We took a different approach. Your session content is processed in memory for a single generation request. After the note or worksheet is returned to your browser, the clinical text is discarded. It is not stored in our database, not written to disk, not retained for any purpose.

Zero client data at rest. Zero to breach. Zero to subpoena.

The Sandcastle Analogy

Think of client data like a sandcastle. Most services build elaborate vaults to protect their sandcastles. We let the tide wash ours away as soon as the worksheet is generated.

You can't steal a sandcastle that doesn't exist.

Verifiable

Do not take our word for it. Check it yourself.

Most security pages ask you to trust them. We would rather you verify. Here is how.

1. Open your browser Developer Tools

Right-click anywhere on the page, select "Inspect", then click the "Network" tab. This shows every request your browser makes.

2. Generate a note or worksheet

Use Reframe normally. Type your session summary, select a format, and generate.

3. Watch the Network tab

You will see one request go out with your input and one response come back with the generated note. That is the entire browser-side data flow. No additional requests to storage endpoints. No background syncing.

4. Refresh the page

Your input is gone. The generated content only exists in your browser (or in the library you saved locally). There is nothing on our servers to retrieve because nothing was stored.

What this check does and does not show: the Network tab is authoritative for what your browser sends, so it rules out hidden uploads, tracking beacons and background syncing from the client. It cannot observe what happens after the request reaches Reframe or Google Vertex AI; for that part of the claim you are relying on the architecture described above and on the BAA.
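The same check, scripted. This is an added example, not Reframe's code: auditRequests() walks the browser's Resource Timing entries (the data behind the Network tab) and reports the single generation call separately from anything else that could carry your input away, while auditLiveSession() feeds it the live entries when pasted into a console after step 3. The endpoint path, the app origin and the sample entries are assumptions constructed for the example; read the real path off the Network tab before running it.

```javascript
// Added example, not Reframe's code. Scripted version of the Network-tab check.
// GENERATION_PATH and the sample entries below are assumptions, not captured data.
const GENERATION_PATH = '/api/generate'; // assumed endpoint name

// initiatorTypes whose bodies or query strings are built by page script
const DATA_CARRIERS = new Set(['fetch', 'xmlhttprequest', 'beacon', 'other']);

function auditRequests(entries, appOrigin) {
  const report = { generationCalls: 0, unexpected: [] };
  for (const e of entries) {
    let url;
    try { url = new URL(e.name, appOrigin); } catch { continue; }
    // blob:/data: URLs (e.g. a locally generated PDF) never leave the device
    if (url.protocol !== 'https:' && url.protocol !== 'http:') continue;
    const crossOrigin = url.origin !== appOrigin;
    const carriesData = DATA_CARRIERS.has(e.initiatorType);
    if (!crossOrigin && carriesData && url.pathname === GENERATION_PATH) {
      report.generationCalls += 1;
      continue;
    }
    // Anything cross-origin can exfiltrate (a pixel's query string is enough),
    // so report it whatever its type; same-origin static assets are expected.
    if (crossOrigin || carriesData) {
      report.unexpected.push({ url: url.href, initiatorType: e.initiatorType });
    }
  }
  return report;
}

function auditLiveSession(appOrigin = location.origin) {
  // Resource Timing keeps about 250 entries by default; on a long session call
  // performance.setResourceTimingBufferSize(2000) before generating.
  return auditRequests(performance.getEntriesByType('resource'), appOrigin);
}

// Constructed sample (not captured from Reframe): the app bundle, the single
// generation call, a stray beacon to a third party, and a cross-origin pixel.
const APP_ORIGIN = 'https://app.example';
const SAMPLE_ENTRIES = [
  { name: 'https://app.example/static/app.js', initiatorType: 'script' },
  { name: 'https://app.example/api/generate', initiatorType: 'fetch' },
  { name: 'https://analytics.example/collect', initiatorType: 'beacon' },
  { name: 'https://cdn.example/pixel.gif?u=123', initiatorType: 'img' },
];

function runSample() { return auditRequests(SAMPLE_ENTRIES, APP_ORIGIN); }
```

A clean run reports generationCalls of 1 and an empty unexpected list. Anything in unexpected deserves a look, but remember the limit of the method: it proves what left your browser, not what the servers did with it afterwards.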

We are confident enough to invite you to look.

Reframe was built so you could verify the privacy claims yourself, not just read about them.

What This Means

What this means for you

No data breach risk

If our servers were compromised tomorrow, there would be no stored client information to steal. It simply isn't there. The only client content that ever exists on our side is the request in flight during a single generation, which is why the guarantee is stated as zero client data at rest.

No subpoena vulnerability

We can't be compelled to produce client records we don't have. Your therapeutic relationship stays protected.

No third-party access

Apart from the single generation request to Google Vertex AI under the BAA, we can't share, sell, or accidentally expose client data to anyone. Not partners, not advertisers, not anyone.

HIPAA by architecture

Most services are HIPAA-compliant by policy. We're HIPAA-compliant by physics. The data isn't there to protect.

Comparison

How we compare

Feature                        | Other AI Tools         | Reframe
-------------------------------|------------------------|-------------------------------
Client data stored             | Yes (typically)        | No
Breach risk                    | Yes                    | No client data at rest
Subpoena vulnerable            | Yes                    | No stored records to produce
Third-party sharing possible   | Yes                    | No
Healthcare agreement (BAA)     | Depends on the vendor  | Yes (Google Vertex AI)
HIPAA compliant                | Depends on the vendor  | Yes

Not sure if your current AI tools are HIPAA-compliant?

Use our free HIPAA Checker tool →
Transparency

What we do collect

To be completely transparent, here's what we do store:

  • Your email address (for account access)
  • Your therapist profile (name, credentials, practice info)
  • Usage analytics from non-sensitive pages only
  • Feedback you explicitly choose to submit
  • Encrypted share-link data only if you choose to create a secure share link

We do not retain session content, generated notes, worksheets, or other PHI on our servers. If you create a secure share link, we temporarily store only an encrypted blob and link metadata until it expires.

Technical Details

For those who want the details

Encryption

TLS 1.3 for all connections

Processing

Session content is processed in memory for the generation request and discarded after the response returns

Rendering

Notes and worksheets render in your browser, not on our servers

PDF Export

PDF generation happens locally on your device

Local Storage

We cannot access or recover your locally-saved notes or worksheets. They live in your browser's storage on your device, which browsers keep on disk unencrypted, so your device becomes the place PHI is kept: use full-disk encryption, a locked browser profile, and clear the library before handing the device to anyone else.

Share Links

Optional share links store only encrypted content and link metadata until expiry. The decryption key stays in the URL fragment (the part after #), which browsers never send to the server, so we hold the ciphertext but cannot read it. Anyone who obtains the full link can decrypt it until it expires, and the fragment is kept in browser history, so treat the link with the same care as the content itself.

Analytics

Third-party analytics are disabled on tool, dashboard, auth, checkout, and share-link pages

Questions

Security FAQ

Is this really HIPAA-compliant?

Yes. All processing runs through Google Cloud Vertex AI under a signed Business Associate Agreement. Your session content is processed in memory and discarded after the response returns. No clinical text is stored on Reframe servers.

What if I need to recover a note or worksheet?

You cannot recover from our side because we never stored it. Save your notes and worksheets locally or use our browser-based library. This is by design. If we do not have it, it cannot be breached.

Do you train your AI on my content?

No. The BAA with Google Vertex AI explicitly prohibits model training on protected health information. Your content is processed for the single request and discarded immediately.

Can I verify the zero-retention claim myself?

Yes, for the browser side. Open your browser's Network Inspector and generate a note. You will see one request leave your browser and one response return. No additional storage calls, no background syncing. Refresh the page and the input is gone. What the inspector cannot show is what happens after the request reaches Reframe or Google Vertex AI; that part rests on the in-memory architecture and the BAA.

Can I use this with actual client PHI?

Yes. That is what the product is built for. You can include presenting problems, session details, and clinical context. The data is processed in memory, the output is returned to your browser, and nothing is retained on Reframe servers.

Privacy First

See the architecture in action.

Generate a note, open your Network Inspector, and verify for yourself. 10 free notes, no account required. Nothing stored, nothing to worry about.

Zero Retention * BAA Covered * Built by a Therapist